OWASPAppSec2007Milan_SecurityEngineeringInVista
Download
Report
Transcript OWASPAppSec2007Milan_SecurityEngineeringInVista
How the Security Development
Lifecycle (SDL) Improved
Windows Vista
Alex Lucas
Lead Security Software Engineer
Microsoft Corporation
[email protected]
6th OWASP
AppSec
Conference
Milan - May 2007
Copyright © 2007 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the
terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this
license, visit http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation
http://www.owasp.org/
Background
UK Security Science/Pentest Team Lead for MS.
Shamelessly stolen Mike Howard’s slides
How SDL Improves products
Vista Focus
6th OWASP AppSec Conference – Milan – May 2007
2
Windows Vista Engineering Process
(from 35,000ft!)
Prescriptive
Guidance
Mandatory
Education
“Quality
Gates”
Central
analysis
Threat
analysis
External
Review
Software Security Science
6th OWASP AppSec Conference – Milan – May 2007
3
Windows
WindowsVista
XP
Security Bug Tracking
Component
Team
PREfix, Default Permissions
Training
Threat Models
Component level
code review and
testing
Buddy
Quality
Code
Gates
Review
Security
PREfast
Banned API Removal
SAL Annotations
FxCop
Privacy, Reliability, …
Design & Attack Surface Review
In Depth Threat Model Review
“Winmain”
Main Source
Tree
Penetration Testing
Mini-Security Push (if necessary)
Network and File Parser testing
Special Cleanup Projects
6th OWASP AppSec Conference – Milan – May 2007
4
Why All This Security Work?
The threats have changed,
customers are demanding
increased security and reduced
support costs.
There is no one silver
bullet.
6th OWASP AppSec Conference – Milan – May 2007
5
Guidance and Education
• All engineers must attend “The Basics”
– Introductory secure design, coding and testing
• On-going yearly security education required for
all engineers
– Over a dozen in-depth classes
• Raise awareness, set expectations, realize what
you don’t know
• Learn to not make mistakes!
• Writing Secure Code 2nd is required reading
6th OWASP AppSec Conference – Milan – May 2007
6
“Quality Gates”
• “Stop the Bleeding”
• Catch bugs early
• Battery of tools run on the check-in that look for:
– Banned APIs
• Enforce use of safer C runtime functions
Correct use of Standard Annotation Language (SAL)
Banned crypto
Buffer overruns
Integer arithmetic issues (overflow, underflow, truncation,
‘signedness’)
– Weak ACLs
– … and much, much more
–
–
–
–
• Other quality gates include privacy, reliability etc.
6th OWASP AppSec Conference – Milan – May 2007
7
HANG ON … WHAT’S SAL?
6th OWASP AppSec Conference – Milan – May 2007
8
Standard Annotation Language
• Used by static analysis tools such as PREfast and
/analyze (Visual Studio 2005)
• Benefits of adding annotations to your code:
– Help the tools find harder to find bugs
– The process of adding annotations finds bugs!
– Bugs found are low noise
6th OWASP AppSec Conference – Milan – May 2007
9
SAL at Work
void FillString(
TCHAR* buf,
size_t cchBuf,
TCHAR ch) {
These two arguments are related,
but the compiler does not know!
for (size_t i = 0; i < cchBuf; i++)
buf[i] = ch;
}
{
}
6th OWASP AppSec Conference – Milan – May 2007
10
SAL at Work
void FillString(
__out_ecount(cchBuf) TCHAR* buf,
size_t cchBuf,
TCHAR ch) {
for (size_t i = 0; i < cchBuf; i++)
buf[i] = ch;
}
{
}
6th OWASP AppSec Conference – Milan – May 2007
11
SAL at Work
Element count.
Other example includes
bcount, byte count.
__out_ecount(cchBuf)
Out buffer, function will write to the buffer.
Other examples include __in and __inout
Must check
return value
Optional, can be NULL
__checkReturn __bcount_opt(_Size)
malloc(__in size_t _Size);
6th OWASP AppSec Conference – Milan – May 2007
12
SAL at Work
void FillString(
__out_ecount(cchBuf) TCHAR* buf,
size_t cchBuf,
TCHAR ch) {
for (size_t i = 0; i < cchBuf; i++)
buf[i] = ch;
}
{
}
void main() {
TCHAR *buff = malloc(200 * sizeof(TCHAR));
FillString(buff,210,_T(’x’));
}
Warning C6386: Buffer overrun: accessing 'argument 1',
the writable size is ‘200*2' bytes, but '420' bytes might be written: Lines: 33, 34
Warning C6387: 'argument 1' might be '0': this does not adhere to
the specification for the function 'FillString': Lines: 33, 34
6th OWASP AppSec Conference – Milan – May 2007
13
Central Analysis (1 of 2)
• Inter-procedural static analysis
• Binary analysis detects compiler and linker
requirements
• Attack Surface Analysis
– Weak ACLs, Service configuration, etc.
• Central removal of banned APIs and weak crypto
– ~50% of banned APIs removed automatically
– Large % automatically migrated by compiler if
destination buffer size is known at compile time
char buf[32];
strcpy(buf,src);
char buf[32];
strcpy_s(buf,src,32);
6th OWASP AppSec Conference – Milan – May 2007
14
Central Analysis (2 of 2)
• A HUGE quantity of bugs found “in the wild”
today are due to malformed data
– Fuzz testing can find these bugs
• Central fuzz-testing team
– Performed primarily by our group
• Identify and fuzz all file formats consumed by
the operating system
– Minimum 100,000 malformed files per parser
• Fuzz many networking protocols, including RPC
6th OWASP AppSec Conference – Milan – May 2007
15
A Note About Tools
Tools DO NOT MAKE SOFTWARE
SECURE! They help scale the
process and they help enforce policy
6th OWASP AppSec Conference – Milan – May 2007
16
Threat Analysis
Threat models help find design issues
All components in Windows Vista are threat
modeled
We’ve learned a great deal about making TMs
easier to create by non-security experts
We’ve moved away from threat trees to patterns of
threats
Risk heuristics instead of risk calculations
6th OWASP AppSec Conference – Milan – May 2007
17
External Review
Most security work is performed by core
Windows Vista engineers
Our team and external security consultants also:
Review feature designs
Review code
Review threat models
Perform black-box testing
6th OWASP AppSec Conference – Milan – May 2007
18
If all the upfront engineering fails…
Windows Vista Defenses
• Core assumptions
– Code is never perfect
– Designs are never perfect
– We must protect customers
• Remember, security is “Man vs. Man”
– Security is a never-ending arms race
– You can never be “done” with security so long as the
adversary is still breathing
• Windows Vista includes numerous defenses
6th OWASP AppSec Conference – Milan – May 2007
19
Windows Vista Defenses
Four broad categories
Security Features
Service Hardening
Isolation
Memory defenses
6th OWASP AppSec Conference – Milan – May 2007
20
Windows Vista Defenses
Security Features (1 of 2)
Windows Vista firewall is integrated with IPSec
Bi-directional
On by default
BitLocker full volume drive encryption
Only in Windows Vista Ultimate and Enterprise
Mitigate the stolen laptop scenario
Provides integrity for the boot process
Can use TPM 1.2 or USB
Windows Defender
Can be disabled by ISVs
6th OWASP AppSec Conference – Milan – May 2007
21
Windows Vista Defenses
Security Features (2 of 2)
• PatchGuard
• X64 only (a tiny market today)
– In Windows XP SP2 and Windows Server 2003
– Rootkits are a huge threat to systems
• Often load in the kernel
• Hard to detect
• Hard to remove
– Only load signed code in the kernel
– Prevents code from patching the kernel in unsupported ways
– Increased stability and security
• Windows Security Center
– Provides holistic security state
– Customers understand it
– Extensible by ISVs
6th OWASP AppSec Conference – Milan – May 2007
22
Windows Vista Defenses
Service Hardening (1 of 2)
Services (daemons) are attractive targets
No need for user interaction
Long-lived
Often run elevated
Malware often:
Alters the OS
Opens network ports
6th OWASP AppSec Conference – Milan – May 2007
23
Windows Vista Defenses
Service Hardening (2 of 2)
Many existing services moved out of SYSTEM
Describe the privileges you need
Per-service identity (SID)
Protect objects for just that service
Stricter service restart policy
Restrict network behavior
Eg: foo.exe can only open port TCP/123 inbound
|Action=Allow|Dir=In|LPORT=123|Protocol=17
|App=%SystemRoot%\foo.exe
6th OWASP AppSec Conference – Milan – May 2007
24
Case Study: DHCP Client
Windows XP SP2 Windows Vista
Account
Privileges
Network Identity?
SYSTEM
24
Yes (Machine
Account)
LOCAL SERVICE
4
No
Uses Fixed Set of
Ports?
Data accessible
only by service?
(Service SID)
No
Yes
No
Yes
6th OWASP AppSec Conference – Milan – May 2007
25
Windows Vista Defenses
Isolation
• Users are no longer admins (by default)
– Even an admin is not an admin (by default)
• Integrity levels help contain damage
– IE7 runs in low integrity (by default)
• Protected Mode
– Most parts of the operating system are medium
integrity
– Restricts “Write-Up”
– Helps defend integrity of the operating system
6th OWASP AppSec Conference – Milan – May 2007
26
Windows Vista Defenses
Memory defenses (1 of many)
• Stack protection (aka /GS, enabled by default)
– Detects stack-based overruns
– Re-arranges the stack so buffers are in higher
memory (helps protect variables)
– Moves various arguments to lower memory
• Stack is randomized for each thread (by default)
• Heap is randomized (by default)
• Exception handler protection (aka /SafeSEH,
enabled by default)
– Exception addresses are verified at runtime
6th OWASP AppSec Conference – Milan – May 2007
27
Windows Vista Defenses
Memory defenses (2 of many)
Data Execution
Protection (aka NX/XD,
enabled by default†)
Harder to execute data
In Windows Vista, DEP
cannot be disabled once
turned on for a process
† Most CPUs today support DEP, but
make sure it’s enabled in the BIOS
6th OWASP AppSec Conference – Milan – May 2007
28
Windows Vista Defenses
Memory defenses (3 of many)
• Heap defenses (all by default)
– Lookasides no longer used
– Arrays of free lists no longer used
– Early detection of errors due to block header integrity
check
• ENTRY->Flink->Blink == ENTRY->Blink->Flink == ENTRY
– Heap TerminateOnCorruption
– Dynamic adjustment of algorithms based upon the usage
– All enabled by default
• Integer overflow calling operator::new
automatically detected at runtime (by default)
6th OWASP AppSec Conference – Milan – May 2007
29
Windows Vista Defenses
Memory defenses (4 of many)
• Image randomization (ASLR)
– System images are loaded randomly into 1 of 256
‘slots’
– Changes on each boot
– To be effective, ASLR requires DEP
– Enabled by default
– Link with /dynamicbase for non-system images
• Long-lived pointers are encoded and decoded
– A successful pointer overwrite must survive the
decoding process (XOR with a random number)
6th OWASP AppSec Conference – Milan – May 2007
30
Default Exploit Mitigations on Popular Client
Operating Systems
Apple Mac OS X
OpenBSD 3.x
Heap
RedHat Enterprise Linux 4
Stack
Windows XP SP2
Windows Vista
Images
Section Reordering
EXE Randomization
DLL Randomization
Frame Protection
Exception Protection
Local Variable Protection
Randomization
Non-Executable
Metadata Protection
Randomization
Non-Executable
Full Coverage
Partial Coverage
No Coverage
6th OWASP AppSec Conference – Milan – May 2007
31
Software Security Science
• Security is “Man vs. Man”
• We must continue to innovate
• We must continue to learn more about attackers
– And how to thwart them
• We perform root-cause analysis of each security
bug
• We analyze bugs from around the industry
• We work closely with security researchers
• Feeds back into the SDL twice a year
6th OWASP AppSec Conference – Milan – May 2007
32
Summary
• Threats have evolved
• Customers are asking Microsoft to provide a
more secure base operating system
• We have substantially improved our
development process
• We have added many defenses to the OS
• We will continue to provide fundamental security
functionality that protects users while still
providing opportunities for developers
6th OWASP AppSec Conference – Milan – May 2007
33
Questions?
[email protected]
Recommended:
http://blogs.msdn.com/sdl/
6th OWASP AppSec Conference – Milan – May 2007
34
Backup Slides
6th OWASP AppSec Conference – Milan – May 2007
35
Banned APIs
strcpy, strcpyA, strcpyW, wcscpy,
_tcscpy, _mbscpy, StrCpy, StrCpyA,
StrCpyW, lstrcpy, lstrcpyA, lstrcpyW,
_tccpy, _mbccpy
strcat, strcatA, strcatW, wcscat,
_tcscat, _mbscat, StrCat, StrCatA,
StrCatW, lstrcat, lstrcatA, lstrcatW,
StrCatBuff, StrCatBuffA, StrCatBuffW,
StrCatChainW, _tccat, _mbccat
strncpy, wcsncpy, _tcsncpy, _mbsncpy,
_mbsnbcpy, StrCpyN, StrCpyNA,
StrCpyNW, StrNCpy, strcpynA,
StrNCpyA, StrNCpyW, lstrcpyn,
lstrcpynA, lstrcpynW
strncat, wcsncat, _tcsncat, _mbsncat,
_mbsnbcat, StrCatN, StrCatNA,
StrCatNW, StrNCat, StrNCatA,
StrNCatW, lstrncat, lstrcatnA, lstrcatnW,
lstrcatn
CharToOem, CharToOemA,
CharToOemW, OemToChar,
OemToCharA, OemToCharW,
CharToOemBuffA, CharToOemBuffW
alloca, _alloca
wnsprintf, wnsprintfA, wnsprintfW,
sprintfW, sprintfA, wsprintf, wsprintfW,
wsprintfA, sprintf, swprintf, _stprintf,
_snwprintf, _snprintf, _sntprintf,
wvsprintf, wvsprintfA, wvsprintfW,
vsprintf, _vstprintf, vswprintf,
_vsnprintf, _vsnwprintf, _vsntprintf,
wvnsprintf, wvnsprintfA, wvnsprintfW
strtok, _tcstok, wcstok, _mbstok
makepath, _tmakepath, _makepath,
_wmakepath, _splitpath, _tsplitpath,
_wsplitpath
scanf, wscanf, _tscanf, sscanf, swscanf,
_stscanf, snscanf, snwscanf, _sntscanf
_itoa, _itow, _i64toa, _i64tow,
_ui64toa, _ui64tot, _ui64tow, _ultoa,
_ultot, _ultow
gets, _getts, _gettws
IsBadWritePtr, IsBadHugeWritePtr,
IsBadReadPtr, IsBadHugeReadPtr,
IsBadCodePtr, IsBadStringPtr
strlen, wcslen, _mbslen, _mbstrlen,
StrLen, lstrlen
6th OWASP AppSec Conference – Milan – May 2007
No Weak Crypto
No new code must use:
MD4, MD5, SHA1 (use SHA2 suite)
DES (use AES)
RC4 (without crypto review)
No symmetric keys <128 bits
No RSA keys < 1024 bits
No weak random number generation
No embedded ‘secrets’
Be “crypt agile”
6th OWASP AppSec Conference – Milan – May 2007